[Pkg-shadow-devel] gpasswd, newgrp and gshadow man pages

Nicolas François nicolas.francois@centraliens.net
Tue, 12 Apr 2005 13:37:18 +0200


On Mon, Apr 11, 2005 at 12:52:24AM +0200, Tomasz Kłoczko wrote:
> On Mon, 11 Apr 2005, Nicolas François wrote:
> [..]
> > Tomasz, can you have a look at the attached patch.
> > 
> > It explains why editing /etc/group (without gshadow) doesn't permit to use
> > newgrp (and should permit to close the above bugs).
> 
> I think this kind of information in man pages will be usable only for a limited
> time. Why? Because after my last time spent working on shadow I think now
> it will be good to move shadow to a form with shadow password
> handling enabled by default and also it will be good to push more strongly some
> modifications for glibc (mainly NSS related) and PAM to make shadow group
> support available on this level.

It would make sense to have shadow group support in the libc (the GNU libc
provides a getspnam API). The problems may then be:
 * what about other libc?
 * shadow groups, IMHO, are not used a lot. libc maintainers may be
   reluctant to add this support for this reason.
   I can't blame anybody on this: I didn't know about it before I looked
   at the Debian BTS;)

> In upcoming 4.0.8 and probably in the next version or more I want to finish as
> many cleanups as possible to make shadow transformation easier in this
> direction and also prepare basic infrastructure in shadow for modularised
> files/ldap/nis/kerberos/<other_auth_method> backends support.
> After finishing this process, indication in documentation of some details about
> SHADOWPWD, SHADOWGRP will of course be unusable.
> Also of course this will take more than a few months so now .. a patch like
> yours is acceptable/correct.

Since SHADOW{PWD,GRP} are always enabled, the first part of the paragraph
can be removed ("If compiled with SHADOW (respectively SHADOWGRP) defined,
").  The described behaviour will probably stay even after the
modifications you mention.

> I think shadow support is kind of "standard platform" so #ifdefing shadow
> handling code can be removed in the next few months (even in embedded
> systems). As a consequence all SHADOWPWD conditions will be removed.

I agree. I don't see any reason to disable shadow on a server/desktop or
embedded linux. IMO, using normal passwords is just like clear text
passwords and a single user (root).



I've got another question regarding group shadow passwords.
A shadow password looks like $1$HAxOrFpA$q/AbX2Cy9J7FZPq040Rw0/
A gshadow password looks like gJ9sWrkMe2YYA
Are group passwords MD5 enabled?
Would it be possible to use the same format?
(maybe this is already the case in versions greater than 4.0.3)
(maybe this could be solved by a group shadow support in PAM)

Kind Regards,
-- 
Nekral